The ride-sharing app's computer network suffered a breach on Thursday (15.09.22). The company now says the attacker hacked into the account of an EXT contractor, most likely after buying the contractor's credentials on the dark web.
In a security update on Monday (19.09.22), Uber said: "An Uber EXT contractor had their account compromised by an attacker.
"It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials.
"The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access.
"Eventually, however, the contractor accepted one, and the attacker successfully logged in."
The attacker then accessed other employee accounts and subsequently gained permissions to several tools, including G-Suite and Slack.
Uber has "security monitoring processes" already in place, allowing the teams to "quickly identify the issue and move to respond", and thus "ensure user data was secure and that Uber services were not affected".
An investigation is ongoing, but the company doesn't think the attacker accessed the public-facing systems. No changes were made to the codebase, and the attacker is not believed to have accessed any customer or user data.
Uber continued: "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so.
"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.
"There are also reports over the weekend that this same actor breached video game maker Rockstar Games.
"We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts."